Saturday, 7 March 2015

Sandbox an account and prevent it from any system modifications


I am trying to sandbox a user account to the point where it cannot edit or view any files beyond a certain folder, namely /home/user/test. This account will be compiling and running a C++ program that can subject the system to any command, and it must not be able to modify or edit the system in any way.


This means disabling su and sudo, removing write (and some read) permissions from the entire system for this user, and keeping the program locked (jailed) inside its own folder. Is there anything else that I am missing?
Now for the implementation.


I believe that I can find the location of su and sudo by typing whereis su and whereis sudo, respectively. For sudo, for example, I can find that the binaries are at:


/usr/bin/sudo /usr/lib/sudo /usr/bin/X11/sudo /usr/share/man/man8/sudo.8.gz


If I change the permissions on these binaries to disallow execution for this user, will that prevent sudoing through other means, such as within other programming languages?


For "jailing" the program within a certain folder, it seems that chroot is ineffective, especially if the program needs access to other resources that are outside of the sandboxed folder. What is the best way to do this, then?
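As an added example that is not part of the original post, the script below checks the two controls the question proposes (no membership in a root-equivalent group, and nothing writable outside /home/user/test) and also lists setuid/setgid executables, which is the property su and sudo actually rely on rather than their path. The group text and the temporary directory tree are constructed for the demo, and the write check emulates classic mode bits only, ignoring ACLs, capabilities and MAC policy.

```python
import os
import stat
import tempfile

PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "admin"}  # membership here is root-equivalent

def privileged_groups_of(user, group_file_text):
    """Parse /etc/group-format text; list privileged groups that name `user` as a member."""
    found = []
    for line in group_file_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] in PRIVILEGED_GROUPS and user in fields[3].split(","):
            found.append(fields[0])
    return sorted(found)

def can_write(mode, owner, group, uid, gids):
    """Classic DAC write decision from mode bits (uid 0 deliberately gets no special case)."""
    if uid == owner:
        return bool(mode & stat.S_IWUSR)
    if group in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def audit_tree(root, uid, gids, allowed_dir):
    """Return (paths writable by uid outside allowed_dir, setuid/setgid executables) under root."""
    writable, suid = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are meaningless; its target is visited elsewhere
            inside = path == allowed_dir or path.startswith(allowed_dir + os.sep)
            if not inside and can_write(st.st_mode, st.st_uid, st.st_gid, uid, gids):
                writable.append(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID) and st.st_mode & 0o111:
                suid.append(path)
    return sorted(writable), sorted(suid)

def demo():
    """Constructed miniature tree: a world-writable tmp, a setuid tool, and the sandbox folder."""
    root = tempfile.mkdtemp()
    layout = {"sys": 0o755, "sys/bin": 0o755, "sys/tmp": 0o1777,
              "home": 0o755, "home/user": 0o755, "home/user/test": 0o777}
    for rel, mode in layout.items():
        os.mkdir(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)
    tool = os.path.join(root, "sys/bin/tool")
    open(tool, "w").close()
    os.chmod(tool, 0o4755)  # setuid bit on an executable, the shape su and sudo have
    uid, gid = os.getuid() + 1, os.getgid() + 1  # any ids that do not own the files
    writable, suid = audit_tree(root, uid, {gid}, os.path.join(root, "home/user/test"))
    return ([os.path.relpath(p, root) for p in writable], [os.path.relpath(p, root) for p in suid])
```

Removing execute permission from /usr/bin/sudo changes the binary for every user on the host; group membership and the sudoers policy are the per-user controls, and any other setuid executable the audit lists deserves the same scrutiny.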


